Skip to main content

Big Ip Access Policy Manager Client CVE-2018-5546

HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2018-08-17 f5sirt@f5.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 17, 2018 - 12:29 nvd
HIGH 7.8

DescriptionNVD

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.

AnalysisAI

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host. Affected products include: F5 Big-Ip Access Policy Manager Client, F5 Big-Ip Access Policy Manager. Version information: version 7.1.7.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.

CVE-2020-5897 HIGH
8.8 May 12

In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX componen

CVE-2023-43125 HIGH
8.2 Sep 27

BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Rated high severity (CVSS 8.2), this vulnerability is

CVE-2022-28714 HIGH
7.8 May 05

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6

CVE-2021-23022 HIGH
7.8 Jun 10

On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's

CVE-2020-5896 HIGH
7.8 May 12

On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder

CVE-2018-5547 HIGH
7.8 Aug 17

Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy lo

CVE-2019-6656 HIGH
7.5 Sep 25

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Rated hig

CVE-2024-28883 HIGH
7.4 May 08

An origin validation vulnerability exists in BIG-IP APM browser network access VPN client for Windows, macOS and Linux w

CVE-2023-43124 HIGH
7.1 Sep 27

BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Rated high severity (CVSS 7.1), this vulnerability is

CVE-2018-15332 HIGH
7.0 Dec 06

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process

CVE-2020-5892 MEDIUM
6.7 Apr 30

In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attack

CVE-2022-27636 MEDIUM
5.5 May 05

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6

Share

CVE-2018-5546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy